Analytics Story: Office 365 Account Takeover
Description
Monitor for activities and anomalies indicative of initial access techniques within Office 365 environments.
Why it matters
Office 365 (O365) is Microsoft's cloud-based suite of productivity tools, encompassing email, collaboration platforms, and office applications, all integrated with Azure Active Directory for identity and access management. O365's centralized storage of sensitive data and widespread adoption make it a key asset, yet also a prime target for security threats. The "Office 365 Account Takeover" analytic story focuses on the initial techniques attackers employ to breach or compromise these identities. Initial access, in this context, consists of techniques that use various entry vectors to gain an initial foothold. Identifying these early indicators is crucial for establishing the first line of defense against unauthorized access and potential security incidents within O365 environments.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Office 365 Universal Audit Log | Other | o365:management:activity | o365 |
| O365 UserLoginFailed | Other | o365:management:activity | o365 |
| O365 | Other | o365:management:activity | o365 |
| O365 Consent to application. | Other | o365:management:activity | o365 |
| O365 UserLoggedIn | Other | o365:management:activity | o365 |
| O365 Add app role assignment grant to user. | Other | o365:management:activity | o365 |
| Office 365 Reporting Message Trace | Other | o365:reporting:messagetrace | o365 |
| O365 Update authorization policy. | Other | o365:management:activity | o365 |
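As an added example (not part of this analytic story or of Splunk's detection content), the script below applies one initial-access check to constructed events shaped like the o365:management:activity source listed above: it groups UserLoginFailed records by ClientIP, flags addresses that fail against many distinct accounts, and notes any UserLoggedIn from the same address in the same batch. The field names (Operation, UserId, ClientIP, CreationTime) are those of the Office 365 Management Activity API; the sample events and the threshold are assumptions.

```python
"""Flag password-spray-style sign-in activity in o365:management:activity events.

Added example, not Splunk's own detection logic. Uses the Office 365 Management
Activity field names (Operation, UserId, ClientIP, CreationTime) on constructed
sample events; the threshold of 5 distinct accounts is an assumed tuning value.
"""
import json
from collections import defaultdict

# Constructed sample events: six different accounts fail from one IP, then one
# of them signs in from that IP; a second IP shows a single ordinary failure.
SAMPLE_EVENTS = [
    json.dumps({"CreationTime": "2024-01-01T10:00:%02dZ" % i, "Operation": "UserLoginFailed",
                "UserId": "user%d@example.com" % i, "ClientIP": "198.51.100.7"})
    for i in range(6)
] + [
    json.dumps({"CreationTime": "2024-01-01T10:01:00Z", "Operation": "UserLoggedIn",
                "UserId": "user3@example.com", "ClientIP": "198.51.100.7"}),
    json.dumps({"CreationTime": "2024-01-01T10:02:00Z", "Operation": "UserLoginFailed",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.9"}),
    json.dumps({"CreationTime": "2024-01-01T10:03:00Z", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.9"}),
]


def find_spray_sources(raw_events, min_distinct_users=5):
    """Return {ClientIP: {"failed_users": [...], "succeeded_users": [...]}} for
    IPs whose UserLoginFailed events cover >= min_distinct_users accounts.

    A spray tries a few passwords across many accounts, so the signal is many
    distinct UserIds failing from one ClientIP; a UserLoggedIn from that IP in
    the same batch is the candidate takeover to triage first.
    """
    failed, succeeded = defaultdict(set), defaultdict(set)
    for line in raw_events:
        ev = json.loads(line)
        ip, user, op = ev.get("ClientIP"), ev.get("UserId"), ev.get("Operation")
        if op == "UserLoginFailed":
            failed[ip].add(user)
        elif op == "UserLoggedIn":
            succeeded[ip].add(user)
    return {
        ip: {"failed_users": sorted(users),
             "succeeded_users": sorted(succeeded.get(ip, set()))}
        for ip, users in failed.items() if len(users) >= min_distinct_users
    }


if __name__ == "__main__":
    for ip, info in find_spray_sources(SAMPLE_EVENTS).items():
        print(ip, len(info["failed_users"]), "accounts failed; logged in:", info["succeeded_users"])
```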
References
- https://attack.mitre.org/tactics/TA0001/
- https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://github.com/AlteredSecurity/365-Stealer
- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
- https://www.alteredsecurity.com/post/introduction-to-365-stealer
- https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth
- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
Source: GitHub | Version: 2